description
Checklist for privilege escalation in Linux

Checklist - Linux Privilege Escalation

Best tool to look for Linux local privilege escalation vectors: LinPEAS

  • List mounted drives
  • Any unmounted drive?
  • Any creds in fstab?
  • Check for useful software installed
  • Check for vulnerable software installed
  • Is any unknown software running?
  • Is any software running with more privileges than it should have?
  • Search for exploits for running processes (especially for the versions that are running)
  • Can you modify the binary of any running process?
  • Monitor processes and check if any interesting process is running frequently
  • Can you read some interesting process memory (where passwords could be saved)?
  • Any writable .service file?
  • Any writable binary executed by a service?
  • Any writable folder in systemd PATH?
  • Any writable timer?
  • Any writable .socket file?
  • Can you communicate with any socket?
  • HTTP sockets with interesting info?
  • Can you communicate with any D-Bus?
  • Enumerate the network to know where you are
  • Open ports you couldn't access before getting a shell inside the machine?
  • Can you sniff traffic using tcpdump?
  • Generic users/groups enumeration
  • Do you have a very big UID? Is the machine vulnerable?
  • Can you escalate privileges thanks to a group you belong to?
  • Clipboard data?
  • Password Policy?
  • Try every known password that you have discovered previously to log in as each possible user. Also try to log in without a password.
  • If you have write privileges over some folder in PATH you may be able to escalate privileges
  • Does any binary have an unexpected capability?
  • Does any file have an unexpected ACL?
  • screen?
  • tmux?
  • Profile files - Read sensitive data? Write to privesc?
  • passwd/shadow files - Read sensitive data? Write to privesc?
  • Check commonly interesting folders for sensitive data
  • Weird location/owned files: you may be able to access or alter executable files
  • Files modified in the last minutes
  • Sqlite DB files
  • Hidden files
  • Script/Binaries in PATH
  • Web files (passwords?)
  • Backups?
  • Known files that contain passwords: use LinPEAS and LaZagne
  • Generic search
  • Modify python library to execute arbitrary commands?
  • Can you modify log files? Logrotten exploit
  • Can you modify /etc/sysconfig/network-scripts/? CentOS/Red Hat exploit
  • Can you write in init, init.d, systemd or rc.d files?

Other tricks

If you want to know about my latest modifications/additions or you have any suggestion for HackTricks or PEASS, join the 💬 PEASS & HackTricks telegram group, or follow me on Twitter 🐦 @carlospolopm.
If you want to share some tricks with the community you can also submit pull requests to https://github.com/carlospolop/hacktricks that will be reflected in this book.
Don't forget to give a ⭐ on GitHub to motivate me to continue developing this book.
